Security threats to an organization's information systems can have a significant impact on its business goals. Malware and advanced persistent attacks are growing in number as well as in damage. In 2010, the rise of targeted attacks included armored variations of Conficker.D and Stuxnet (which was referred to as the most advanced piece of malware ever created). Targeted attacks on Google, Intel, Adobe, Boeing, and an estimated 60 others have been extensively covered in the press. State-of-the-art security defenses have proved ineffective.
Cyber-criminals conduct methodical reconnaissance of potential victims to identify traffic patterns and existing defenses. Very sophisticated attacks involve multiple “agents” that individually appear to be legitimate traffic, then remain persistent in the target's network. The arrival of other agents may also be undetected, but when all are in the target network, these agents can work together to compromise security and steal targeted information.
Ways need to be found to better mitigate new attacks, identify compromised systems, reduce resolution time, and lower resolution cost. The coverage, context, and cost of current solutions may prevent customers from achieving those objectives. One approach has been the use of rigid hardware-based solutions. This makes multi-site deployments impractical and provides no protection for virtual and cloud infrastructures. Armoring can defeat first-generation sandbox-based solutions.
In terms of context, legacy security solutions typically use a structured process (e.g., signature and heuristics matching) or analyze agent behavior in an isolated context, without the ability to detect future coordinated activity. These legacy solutions increase time to resolution. They produce an overload of alerts with an inability to effectively prioritize threats. The intelligence they provide is therefore often not actionable. Furthermore, legacy security solutions are not able to detect sophisticated malware that is armored, is delivered in multiple components, and/or includes different forms of delayed execution.
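The gap described above, between scoring each agent's behavior in isolation and correlating activity across agents, can be shown with a small detection script. The example below is an added illustration and not code from the original document; the log format, the host names, the domain names and the scoring weights are all constructed for the demonstration. The isolated-context rule never fires on the sample events because each one, taken alone, looks like ordinary traffic; the correlated rule groups events by the external target they share, counts distinct hosts and distinct stages inside a time window, and uses that count to rank the resulting alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp host action target [path]".
# Each event on its own is low-severity and indistinguishable from
# legitimate traffic; only the combination across hosts stands out.
SAMPLE_LOG = """\
2010-06-01T09:00:00 ws-01 dns_query staging.example.test
2010-06-01T09:00:05 ws-01 http_get  staging.example.test /update.bin
2010-06-01T09:45:00 ws-02 http_get  staging.example.test /update.bin
2010-06-01T11:15:00 ws-03 dns_query staging.example.test
2010-06-01T11:20:00 ws-03 http_post staging.example.test /checkin
2010-06-01T12:05:00 ws-02 http_post staging.example.test /checkin
2010-06-01T12:30:00 ws-01 http_post staging.example.test /checkin
2010-06-01T13:00:00 ws-04 http_get  cdn.vendor.test /patch.msi
"""

# Constructed per-event weights. The isolated rule below compares a single
# event's weight against ISOLATED_THRESHOLD, so no event ever alerts.
ACTION_WEIGHT = {"dns_query": 1, "http_get": 1, "http_post": 2}
ISOLATED_THRESHOLD = 5

# Correlation parameters (assumed values): how many distinct hosts and
# distinct stages must touch the same target within WINDOW to alert.
WINDOW = timedelta(hours=6)
MIN_HOSTS = 2
MIN_STAGES = 2


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, host, action, target, *rest = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "action": action,
            "target": target,
            "path": rest[0] if rest else "",
        })
    return events


def isolated_alerts(events):
    """Legacy behaviour: judge every event by itself and return the ones
    whose own weight crosses the threshold."""
    return [e for e in events
            if ACTION_WEIGHT.get(e["action"], 0) >= ISOLATED_THRESHOLD]


def correlated_alerts(events):
    """Group events by shared external target and slide a time window over
    each group. An alert is raised when enough distinct hosts perform enough
    distinct stages against the same target inside one window; the number
    of hosts times the number of stages becomes the alert priority."""
    by_target = defaultdict(list)
    for e in events:
        by_target[e["target"]].append(e)

    alerts = []
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e["time"])
        best = None
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["time"] - start["time"] <= WINDOW]
            hosts = {e["host"] for e in window}
            stages = {e["action"] for e in window}
            if len(hosts) >= MIN_HOSTS and len(stages) >= MIN_STAGES:
                score = len(hosts) * len(stages)
                if best is None or score > best["priority"]:
                    best = {
                        "target": target,
                        "hosts": sorted(hosts),
                        "stages": sorted(stages),
                        "first_seen": window[0]["time"],
                        "priority": score,
                    }
        if best is not None:
            alerts.append(best)

    # Highest priority first, so an analyst sees the broadest campaign on top.
    return sorted(alerts, key=lambda a: a["priority"], reverse=True)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("isolated-context alerts:", isolated_alerts(evs))
    for a in correlated_alerts(evs):
        print(f"priority {a['priority']}: {a['target']} "
              f"hosts={a['hosts']} stages={a['stages']}")
```

On the sample log the isolated rule returns nothing, while the correlated rule produces a single ranked alert for the target that three hosts contacted through three different stages; the single vendor download on the fourth host is left alone because it involves one host and one stage.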
Legacy solutions are also overpriced because their means of triage and mitigation are inefficient and rely on overprovisioned appliances. In many implementations, they can consume up to 20-30% of an organization's security budget.